Um 11:36 Uhr am 18.07.16 schrieb Carsten Leonhardt:
>>> Maybe we need some capabilites in the filesystem, like ping does have.
>>> CAP_DAC_READ_SEARCH seems about right: "Bypass file read permission
>>> checks and directory read and execute permission checks" Also needs
>>> more investigation.
>> I see from the source in src/lib/priv.c that Bacula already contains
>> support for capabilites and the binaries also link against libcap. But
>> this is Linux-only, isn't it? This would then not work on FreeBSD (or
>> Hurd), again complicating the init-scripts and package setup.
> yes, and I don't think that we will actively support this Debian. If
> someone wants to run bacula-fd like that, they will have to override the
> defaults somehow. With sysvinit, that would be possible in
> /etc/defaults/bacula-fd and IIRC someplace else with systemd.
We could set the needed capabilities (see other mail), if user then wants
to change the runtime user of bacula-fd, he would have less work to do.
Running bacula-fd as bacula:bacula could then be a simple switch in
/etc/defaults/bacula-fd (ENABLE_NONROOT=true) and a short notice how to
override the user for the systemd unit (no other clean way to do it from
defaults/bacula-fd, I am afraid).
Grüße,
Sven.